EventLog/Get-SysmonRuleHash.ps1
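function Get-SysmonRuleHash {
    <#
    .SYNOPSIS
        Get a hash for the currently configured Sysmon rules on a host.
    .DESCRIPTION
        Get a hash for the currently configured Sysmon rules on a host. The hash is
        generated from the binary "Rules" value stored under the driver's Parameters
        key (HKLM\SYSTEM\CurrentControlSet\Services\<DriverName>\Parameters). The
        value is read through the StdRegProv CIM class, so the function works against
        the local host, a remote computer name, or an existing CIM session.

        Because the hash covers the raw binary blob the driver loaded, it can be used
        to detect drift from a known-good ruleset across a fleet without exporting
        and diffing the XML configuration.
    .EXAMPLE
        PS C:\> Get-SysmonRuleHash -HashAlgorithm SHA1

        ComputerName    DriverName Hash
        ------------    ---------- ----
        DESKTOP-4TVLVMD SysmonDrv  5FCE2EA1583DBBD5B141EFD04BA36209F5AFE1FC

        Generate a SHA1 for the ruleset on the current host.
    .INPUTS
        String
    .OUTPUTS
        PSCustomObject
    .NOTES
        MD5 and SHA1 are offered only so the output can be compared with existing
        inventories that already record those digests; SHA256 is the default.
        A non-zero StdRegProv return code (2 when the key or value does not exist,
        e.g. Sysmon is not installed or uses a different driver name) is reported
        through Write-Error rather than a terminating exception.
    #>
    [CmdletBinding(DefaultParameterSetName = "UseComputer")]
    param (
        # Name of Sysmon driver.
        [Parameter(ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true)]
        [string]
        $DriverName = "SysmonDrv",

        # Computer name, IP or FQDN of host to connect against using CIM.
        # ParameterSetName is given on the same attribute as the pipeline settings:
        # a separate [Parameter()] with no set name would place the parameter in
        # every set, which leaves "-CimSession" alone resolving to the default
        # "UseComputer" set and silently querying the local host instead.
        [Parameter(ParameterSetName = "UseComputer",
                   ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true)]
        [string]
        $ComputerName = "$env:COMPUTERNAME",

        # CIM Session to remote host.
        [Parameter(ParameterSetName = "UseCIMSession",
                   ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true)]
        [Microsoft.Management.Infrastructure.CimSession]
        $CimSession,

        # Hash Algorithm to use when generating the hash.
        [Parameter(ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $true)]
        [ValidateSet("MD5", "SHA1", "SHA256", "SHA384", "SHA512")]
        [string]
        $HashAlgorithm = "SHA256"
    )

    begin {
        # 0x80000002 = HKEY_LOCAL_MACHINE, as expected by StdRegProv.hDefKey.
        [uint32]$hdkey = 2147483650
        $cimCommon = @{
            Namespace  = "root\cimv2"
            ClassName  = "StdRegProv"
            MethodName = "GetBinaryValue"
        }
    }

    process {
        $regArgs = @{
            hDefKey     = $hdkey
            sSubKeyName = "SYSTEM\CurrentControlSet\Services\$($DriverName)\Parameters"
            sValueName  = "Rules"
        }

        # Resolve the target and run the registry read according to the parameter
        # set; $target is what gets reported back, so for a CIM session it is the
        # session's endpoint rather than the (unused) $ComputerName default.
        $result = $null
        switch ($PSCmdlet.ParameterSetName) {
            "UseComputer" {
                $target = $ComputerName
                if ($ComputerName -eq $env:COMPUTERNAME) {
                    $result = Invoke-CimMethod @cimCommon -Arguments $regArgs
                }
                else {
                    $result = Invoke-CimMethod @cimCommon -Arguments $regArgs `
                        -ComputerName $ComputerName
                }
            }
            "UseCIMSession" {
                $target = $CimSession.ComputerName
                $result = Invoke-CimMethod @cimCommon -Arguments $regArgs `
                    -CimSession $CimSession
            }
            default {
                $target = $ComputerName
            }
        }

        # $result is $null when Invoke-CimMethod itself failed (its own error has
        # already been written); a non-zero ReturnValue means the key/value is absent.
        if ($null -ne $result -and $result.ReturnValue -eq 0 -and $null -ne $result.uValue) {
            # The hasher is created per record, not in begin{}: pipeline-bound
            # parameters such as -HashAlgorithm are not populated until process{},
            # so a hasher built in begin{} would always use the SHA256 default.
            $hasher = [System.Security.Cryptography.HashAlgorithm]::Create($HashAlgorithm)
            try {
                $digest = $hasher.ComputeHash([byte[]]$result.uValue)
                $hex = ([System.BitConverter]::ToString($digest)).Replace("-", '')
            }
            finally {
                $hasher.Dispose()
            }

            [PSCustomObject]@{
                'ComputerName' = $target
                'DriverName'   = $DriverName
                'Hash'         = $hex
            }
        }
        else {
            $detail = if ($null -ne $result) { " (StdRegProv returned $($result.ReturnValue))" } else { '' }
            Write-Error -Message "No ruleset found in $($target) for driver $( $DriverName )$detail"
        }
    }

    end { }
}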